Password reset questions

Recently there was some discussion about “self-service” password resets.  The standard option, of course, is to have some sort of “secret question” that the true account holder should be able to answer.  You know: super-secret stuff like your pet’s name.  (Yes, Paris Hilton, I’m talking about you.)

The discussion was more detailed, turning to policy and options, and asked whether you should turn off “custom” questions, and stick to a list of prepared questions.

I would definitely allow custom questions.  The standard lists never seem to give me options that a) I can remember, and b) wouldn’t be immediately obvious to anyone who was able to find out some minimal information about me.

If I can make up my own question, I can ask myself what my favourite burial option would be.  The answer, “encryption,” is something I will remember to my dying day, and nobody else is ever going to guess.  (Well, those who have read the “Dictionary of Information Security” might guess that one, so I guess I won’t actually use it.)

Go ahead: try and guess what is the only pain reliever that works for me.

What sits under my desk and keeps the computers running in the case of a power failure?

What is Gloria’s favourite ice cream flavour?

Finish the following sentence: Don’t treat Rob as your _______ ___.  (This is a two-factor authentication: you also have to fill in the standard response to that statement.)

The thing is, all of these oddball questions have special meaning for Gloria and me, but for very few other people in the world.  They rely on mistakes or quirks that have become “family phrases.”  For example, what do you need before bed to get to sleep?  Answer: “warum melek,” coming from an elderly lady of our acquaintance from a northern European background.

Yeah, I like “custom questions” a lot.

(OK, yes, you do have to do a bit of security awareness training to indicate that “who is my sweetie poo” may not be as secret as some people seem to think …)


“New” ideas about distributed computing?

The CEO of BitTorrent thinks we should think about using distributed computing to deal with upgrade issues over the Internet.

It sounds like a good idea.  So good, that you wonder why someone hasn’t thought of it before.  Well, surprise, surprise (unless you know Slade’s Law of Computer History), someone has.  How about Shoch and Hupp, who worked on the idea at Xerox PARC in the late 70s, and reported on it in 1980 and 1982?  Or Fred Cohen, who was quite vocal about using “good” viruses in the late 80s, and mentioned it in one of his earlier popular books?  Or Vesselin Bontchev, who, in the 90s, gave a detailed outline of what you have to do to make it work?


Western society is WEIRD [1]

(We have the OT indicator to say that something is off topic.  This isn’t, because ethics and sociology are part of our profession, but it is a fairly narrow area of interest for most.  We don’t have a subject-line indicator for that  :-)

This article, and the associated paper, are extremely interesting in many respects.  The challenge to whole fields of social factors (which are vital to proper management of security) has to be addressed.  We are undoubtedly designing systems based on a fundamentally flawed understanding of the one constant factor in our systems: people.

(I suppose that, as long as the only people we interact with are WEIRD [1] westerners, we are OK.  Maybe this is why we are flipping out at the thought of China?)

(I was particularly interested in the effects of culture on actual physical perception, which we have been taught is hard wired.)

[1] – WEIRD, in the context of the paper, stands for Western, Educated, Industrialized, Rich, and Democratic societies


Read this book. If you have anything to do with security, read this book.

I have been reviewing security books for over twenty years now.  When I think of how few are really worthwhile, that gets depressing.

However, Ross Anderson is always worth reading.  And when Ross Anderson first published “Security Engineering” I was delighted to be able to tell everyone that it was a worthwhile read.  If you are, in any way, interested in, or working in, the field of security, there is something there for you.  Probably an awful lot.

When Ross Anderson made the first edition available online, for free, and then published the second edition, I was delighted to be able to tell everyone that they should buy the second edition, but, if they didn’t trust me, they should read the first edition free, and then buy the second edition because it was even better.

Now Ross has made the second edition available, online, for free.

Everyone should read it, if they haven’t already done so.

(I am eagerly awaiting the third edition  :-)


REVIEW: Identity Theft Manual: Practical Tips, Legal Hints, and Other Secrets Revealed, Jack Nuern

BKIDTHMA.RVW   20120831

“Identity Theft Manual: Practical Tips, Legal Hints, and Other Secrets Revealed”, Jack Nuern, 2012
%A   Jack Nuern http://www.idtheftadvocates.com
%C   4901 W. 136 St., Leawood, KS, USA   66224
%D   2012
%G   ASIN: B0088IG92E
%I   Roadmap Productions
%O   fax 866-594-2771
%O   http://www.amazon.com/exec/obidos/ASIN/B0088IG92E/robsladesinterne
%O   http://www.amazon.co.uk/exec/obidos/ASIN/B0088IG92E/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/B0088IG92E/robsladesin03-20
%O   Audience n- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   128 p.
%T   “Identity Theft Manual: Practical Tips, Legal Hints, and Other Secrets Revealed”

Despite the implications of the title, this is not a primer for performing identity theft, but a guide to preventing and recovering from it.  The information, unfortunately, is fairly pedestrian, and most of it could be obtained from any magazine article on the topic.

Chapter one is a (very) basic introduction to identity theft, with a rather odd emphasis on the use of medical information.  Methods of identity theft are described in chapter two.  Unfortunately, this is where the book starts to show signs of serious disorganization, and some of the material is more sensational than helpful.  Chapter three lists some steps you can take to attempt to prevent identity theft.  The suggestions are the usual standards of not giving out any information to anyone, and the book tacitly admits that protection is not assured.

Chapter four gets to the real intent of the work: actions to take when your identity has been stolen and misused.  There is a great deal of useful content at this point, limited by two factors.  One is that everything discussed is restricted to institutions in the United States.  The other is that there is almost no discussion of what the entities mentioned can do for you or what they can’t or won’t.

As one could expect from a book written by a law firm, chapter five addresses the liability that the victim of identity theft faces.  The answer, unsurprisingly, is “it depends,” backed up with a few stories.  (Pardon me: “case studies.”)

There are some appendices (called, predictably, “Exhibits”).  Again, most of these will only be of use to those in the United States, and some, sections of related laws, will be of very little use to most.  There is a victim complaint and affidavit form which would probably be very helpful to most identity theft victims, reminding them of information to be collected and presented to firms and authorities.

The book is not particularly well written, and could certainly use some better structure and organization.  However, within its limits, it can be of use to those who are in the situation, and who frequently have nowhere to turn.  As the book notes, authorities are often unhelpful and take limited interest in identity theft cases.   And, as the book also (frequently) notes, the book is cheaper than hiring a law firm.

copyright, Robert M. Slade   2012     BKIDTHMA.RVW   20120831


Memory lane …

I ordered a new computer before Christmas, and there have been delays getting it.  Today the shop called and said that the one I ordered (with 4 Gigs of RAM) was still short, but they did have one with 6 Gigs, if I was willing to pay an extra ten bucks.  So I said fine.

Got off the phone and told Gloria about it.  She asked “How many Commodores is that?” since I still have a Commodore 64 in the “computer museum” trunk.

32,000.  Give or take a few for rounding purposes.  For ten bucks, the equivalent memory of 32,000 Commodore 64 computers.

We work in a bizarre field.


Online forum rule haikus

On the CISSPforum we were discussing precepts for getting along and keeping the discussions meaningful.  Somebody started listing rules, so I started casting them as haikus.  That prompted a few more.

I wondered if these were only for that group, but then realized most of them were applicable to online discussions of whatever type.  So, herewith:

 

Create your own space
Meaningful content only
Comes to those who post.

Silence calls silence
Lurkers don’t disturb quiet
Sleep beckons as well.

The posts are boring?
Raise topic of interest
Thread starter lauded.

Forum like sewer:
What you get out of forum
Depends on input.

Being creative
Is much better than being
Tagged as complainer.

These are your colleagues.
Why are you so much better
That they must start first?

The forum that is
Is not what must always be.
Build a better world.

Friday is not for
Building new realities.
Your colleagues would sleep.

 

Then some others chimed in:

I remember trust
It disappeared so quickly
I guess we were fools

Pointing to resource
Always appreciated
Who can search the whole?

Putting platitudes
into pleasing haiku
removes sting of truth

Now you’re getting it.
Format is everything.  (Well,
And maybe context  :-)

friday gratitude
is here at last for resting
ignoring infosec

Friday at last! Time for
Bottles of overpriced wine.
Why’m I still at work???

Request not correct.
Reformat for this thread.
Please resubmit now.

UNSUBSCRIPTION post
Jangles cosmic harmonies
Til balance achieved.


Secure Awareness mottoes and one-liners

From various forums, mailing lists, discussions and other sources (many of which exist only in my febrile imagination), herewith a bit of a compilation of mottoes that can be used as part of a security awareness campaign:

No-one in Africa wants to GIVE anyone their money or gold.

Microsoft/Google/a Russian oil magnate/VW/BMW/etc certainly does not want to GIVE anyone money/a car/etc.

A stunning Russian blonde DOES NOT want to marry you.

If it sounds too good to be true, IT IS.

A web site, Email message, IM or tweet that tells you you need to install security software IS LYING.

Just because it’s in a Google search result or an “ad by Google” does NOT mean it is safe.

If the options seem to be “Click OK/Run/Install” or “turn off the computer”, TURN OFF THE COMPUTER.

Did your friend really send you that message?

Is your friend really as smart about computer security as you think?
A. No    B. Not at all    C. Well and truly not    D. All the above

You didn’t win the Irish lottery.

Your bank doesn’t want you to change your password.

Don’t be Phish Phood.

Pwnly Phools Phall for Phishing.

Think, THINK every click.

Need extra money?  Want to work from home?  Getting a job from a spammer is NOT A GOOD IDEA!!!

When did you last make a backup?  Do you want to do [period of time] worth of work all over again?

Report the suspicious, not the strange.

If the bank thinks your online account has been hacked, they won’t warn you by email.

Being sociable doesn’t mean being totally open. Be careful what you disclose via social media.

If someone wants/offers to make something really easy for you, there is a way that can be used against you.

Hide your ‘cheese’ (get a router).

A patch a day keeps hackers away (keep your OS and apps up to date).

Always wear a helmet (install a firewall/antivirus package).

The great unknown ain’t so great (only use software you can trust).

Use sunscreen to prevent burns (lock down your OS and apps).

Make 007 jealous (learn to use additional security tools).

“Password” is not a password (use strong passwords).

Keep your skeletons in the closet (protect your personal data).

Don’t be a dork (be smart when you’re on-line).

Keep your dukes up (stay informed and vigilant).

Infosec is like a sewer: what you get out of it, depends on what you put into it.

 

Some are recently from the #InfosecMotherlyAdvice tag on Twitter:

Don’t click … it’ll get infected.

Don’t take cookies from strangers.

Idle systems are a botnet’s playground.

A backup in hand is worth two in the cloud.

While you’re connected to my network you’ll live by my firewall rule.

A backup a day keeps data loss away.

We’d better get you a bigger firewall – you’ll grow into it.

Close the security holes, you’re letting all our sensitive data out.

If your system gets compromised and crashes, don’t come emailing to me.

Always encrypt your data. You never know when you’ll have an accident.

If everybody else clicked on links in emails, would you do that too?

Either you’re inside the firewall, or outside the firewall! Don’t leave it open!

Install your patches if you want your security to grow up big and strong.

Don’t put that in your browser, you don’t know where it’s been.

Someday your bluescreen will freeze like that!

It’s all fun and games until someone loses sensitive data.

Only you can prevent Internet meltdowns.


Official (ISC)2 Guide to the CISSP CBK

Recently, on the CISSPforum, there was some discussion of the new, third edition of the Official (ISC)2 Guide to the CISSP CBK (which, I note, is pretending to be available as an ebook for only ten bucks).  At the end of one post, one of the correspondents stated that he was “leaning towards buying the new book.”

First, lemme say that, for those who haven’t yet got the cert, I do recommend the “Official Guide” as my first choice.  (Harris is easier to read, but does contain *lots* of errors, and I tell my seminar candidates that I refuse to answer any question that starts out “Shon Harris says …”   :-)

However, on the other hand … why would anyone who has the cert buy the guide?  Of course, I am speaking from the perspective of someone who does read the source literature (and I am aware that all too many of my colleagues do not).

I also recall at least two seminar attendees who actually did have the cert.  Furthermore, they were consultants, and thus going on their own dime for the course.  The reason given was the same: they charged by the hour, so any time spent upgrading was time they could not charge.  Therefore, regularly attending the seminar was the fastest, and therefore, in their situation cheapest, way to ensure they were current.

So, yes, I can see that some people would want to get the guide as a quick check.  (In that regard, I would tend to recommend ISMH instead of the guide, but …)  But I still find it kind of odd …


Comparison Review: AVAST! antiviral

PCAVAST7.RVW   20120727
Comparison Review

Company and product:

Company: ALWIL Software
Address: Trianon Office Bldg, Budejovicka 1518/13a, 140 00, Prague 4
Phone:   00 420 274 005 777
Fax:     00 420 274 005 888
Sales:   +42-2-782-25-47
Contact: Kristyna Mazankova/Pavel Baudis/Michal Kovacic
Email:   mazankova@avast.com baudis@asw.cz
Other:   http://www.avast.com
Product: AVAST! antiviral

Summary: Multilayered Windows package

Cost: unknown

Rating (1-4, 1 = poor, 4 = very good)
      “Friendliness”
            Installation      3
            Ease of use       4
            Help systems      1
      Compatibility           3
      Company
            Stability         3
            Support           2
      Documentation           1
      Hardware required       3
      Performance             3
      Availability            3
      Local Support           1

General Description:

Multilayered scanning, activity-monitoring, and change-detection software.  Network protection including Web and email monitoring.

Comparison of features and specifications

User Friendliness

Installation

The product is available as a commercial package, but also as a free download for home or non-commercial use.  As previously noted in other reviews, this is highly desirable not simply as a marketing and promotional effort by the company, but because making malware protection available to the general public reduces the malware threat for the entire computing and network environment.  One important aspect is that the free version, unlike some antivirus products which reduce available functions, appears to be complete.  Scanning, disinfection, network protection, reporting, and management functions all seem to be included in the free version, making Avast a highly recommended product among free downloads.

I downloaded the free version, and installed it with no problem.  It was compatible with Windows 7, as well as previous versions.  The basic installation and configuration provides realistic protection, even for completely naive users.

Ease of use

With ten basic, and a larger number of minor, functions now included in the program, the interface is no longer very easy to figure out.  For example, one of the first things I (as a specialist) need to do is to turn off scanning of my “zoo” directory.  I initially thought this might be under the large “Maintenance” button.  No, “maintenance” is reserved for upgrading and buying additional features.  I did finally find the function I wanted under a much smaller “Settings” tab.  However, as noted, most users will not require any additional functions, and need not worry about the operation of the program.  The default settings provide decent protection, and updating of signatures, and even the basic program, is almost automatic.  (The updates for the free version do push the user to “upgrade” to the commercial version, but it is not necessary.)

I located (eventually) some great functions in the program which I found very helpful.  Admittedly, I’m a very special case, since I research malware.  But I really appreciated the fact that not only could I turn scanning off for a particular directory (my “zoo”), and that I could pull programs out of the quarantine easily, but that I could also turn off individual network protection functions, very easily.  Not only could I turn them off, but I was presented with options to stop for 10 minutes, 1 hour, until the next reboot, or permanently.  Therefore, I could turn off the protection for a quick check, and not have to remember to turn it on again for regular work and browsing.

However, I cannot commend Avast for some of the reporting and logging functions.  Late in the review period it reported an “infected” page, but refused to tell me where/what it is.  In addition, recently Avast has been blocking some of my email, and the message that an email has been blocked is the only available information.

Help systems

Help is available onscreen, but it is not easy to find.  There is no help button on the main screen: you have to choose “? Support,” and then, from a list of six items choose the last one, “Program Help.”  (The standard Windows F1 key does bring up the help function.)  Most other help is only available online via the Web, although there is a downloadable PDF manual.

Compatibility

The system scores well in malware detection ratings from independent tests.  I have been running Avast for over a year, and have not seen a false positive in a scan of the computer system.  I have observed only one false positive blockage of “known good” Websites or email, although this is of some concern since it involved the updating of another malware package under test.

Company Stability

Avast has been operating (previously as Alwil Software) for over twenty years.  The program structure is thoughtful and shows mature development.

Company Support

As noted, most is via the Web.  Unfortunately, in the recent case of a false positive, even though I had alerted the company to the details of both the review and the warning I had noted, there was no useful response.  I received email stating that someone would review the situation and get back to me, but there was no further response.

Documentation

The documentation available for download is primarily for installation and marketing.

System Requirements

The system should run on most extant Windows machines.

Performance

The antivirus system has minimal impact on the computer system.  When performing a full scan, there are other programs that run faster, but Avast runs very well unattended.

As noted above, the free version has complete and very useful functionality.

Local Support

None provided.

Support Requirements

Basic operation and scanning should be accessible to the novice or average user.

copyright Robert M. Slade, 1995, 2012   PCAVAST7.RVW   20120727


Beware! The “Metavirus”!

In the spirit of many infosec and antivirus company “announcements” of “new threats” in the past year:

A leading (if unemployed) information security and malware researcher, today noted startling developments (which were first mentioned in 1988, but we’ll leave out that bit) in cross-platform malware.

Dubbed the “metavirus,” this threat could completely swamp the Internet, and render literally billions of computers useless.  The chief researcher at the Vancouver Institute for Research into User Security has found that these entities can be created by almost anyone, even without programming knowledge or skills.  “This doesn’t even require a malware kit,” said Rob Slade, who has “discovered” this unregarded vulnerability.

Although the number of metavirus “families” is very small, in comparison to the millions of viruses, worms, and trojans discovered yearly, they are remarkably resistant to disinfection.  Infections tend to be clustered, and can affect almost all machines in an infected company, network or group.

“This is definitely cross-platform,” said Slade.  “It doesn’t rely on a specific operating system, program, or even virtual machine, like Java.”  Infections have jumped between Windows, Mac, Linux, iPhones, Android, and even CP/M and VMS machines.  Transmission can occur via email, sneakernet, wireless, and even phone and fax.  In all cases productivity is affected as time is lost.  In one class of the threat machines can be rendered inoperable.

Rob Slade can be made available for presentations on how to deal with this enormous threat.  Anyone wanting to protect themselves can send first class airfare, proof of prepaid hotel accommodation, and a bank draft for $15,000 deposit.  (US or Canadian dollars, whichever is higher at the time  :-)


Bell bull

I recently re-upped with Bell Canada for cell phone service.  I bought new phones and upgraded the plan to include “unlimited” text messaging (since that’s how the grandkids mostly communicate).  The plan I got is supposed to include picture and video messaging.

In order to use the picture messaging I am told, by both the kiosk and telephone personnel, to turn on the cellular data (not wifi: I’ve been a communications specialist for 30 years and I know the difference) connection on the phone.  Every time I do that I am charged $5.00 for “Pay per use flex data Data Usage.”

Each time I can get it reversed, but I have to spend 20 minutes getting through to an agent on the phone in order to do so.  (All the telephone agents initially insist that this is a “mobile browsing” charge, and I have to point out that I have turned off every app on the phone every time I try this.)

I am not being given the services stipulated in my contract.

Right now I’m on the phone with Bell’s telephone “support.”  She’s already tried to get rid of me once by claiming to call “technical support.”  When I asked to speak to a supervisor, the agent did the same thing, but eventually put me through to “Puneet.”

I have spoken with supervisor “Puneet.”  She will not answer the simple question of how to access the services I am paying for.  Her only answer is that I upgrade to a data plan.

Therefore Bell is lying in its contract stating that I have access to picture and video messages.

Puneet has also just told me that Bell will no longer reverse or adjust any charges for using the picture messaging.

(Puneet did make one rather damaging admission late in the call: she did admit that, actually, Bell has no way to tell what the “Pay per use flex data Data Usage” is.  It could be updating.  It could be mobile browsing.  It could be Twitter.  It could, also, be the picture and video messaging for which I’m not supposed to be charged …)


Airline security

Mom and my little sister were supposed to go on a cruise over Christmas.  The first leg of their flight to the embarkation port was cancelled when a door wouldn’t close.  The storm in the midwest, and the consequent meltdown of the North American air travel system, put paid to any chance of getting re-routed.  So they didn’t go.

The door that wouldn’t close on the first flight wasn’t an outside door, it was the cockpit door.  Mom was peeved.  Most people would have complained about the security policy that prevents takeoff without a locked cabin door.  Not Mom.  Her take was that there were lots of security guards around the airport, and that they could have just got one to stand in the doorway for the flight.


Risks of Risk Assessment in Multiple Small Illumination Sources During Winter Conditions

Robert M. Slade, version 1.0, 20121220

Testing can be used to demonstrate the presence of bugs, but never their absence.
- testing aphorism

ABSTRACT

As follow-up research to the study “Risk Assessment and Failure Analysis in Multiple Small Illumination Sources During Winter Conditions” (first published in 2003, and available in the RISKS Digest), the author has undertaken a multi-year study attempting to reduce the level and risks of failure in the illumination network required for celebration of the Northern Hemisphere Mid-Winter Party Period and Gift Giving Season.  (The nodes in this network currently stand at approximately 900 sources, and a significant portion may be noted at Twitter.)

Testing of nodes (also known as “bulbs”) and subnets (also known as “strings”) has been a major component of the risk reduction strategy.  However, recent studies have indicated that testing itself may be a contributing factor in node and subnet failures.

INTRODUCTION

In terms of risk management, it is well known that there comes a point of diminishing returns in the process.  The father of quality control, Walter Deming, noted that there was such a thing as too much quality assessment.  Despite the greater accuracy of assessment, very few enterprises engage in full quantitative risk analysis, preferring the less accurate but less costly (in terms of time and resources) qualitative risk analysis.

This study looks specifically at the testing component of the risk management process, and notes the probability that testing may contribute to total risk or failure.

TESTING IN THE LIGHT CYCLE

For details of the light sources and portions of the process, we refer readers to the earlier study.  A brief outline of the light source cycle is in order at this point.

Towards the end of September, the female members of the household, in preparation for upcoming events, start to ask the male members of the household whether any purchases or other preparation is necessary.  (This generally corresponds to the initiation phase of the cycle.)  The male members of the household point out that Canadian Tire does not start selling Christmas lights or decorations until November.  (This portion of the communication protocol is not, as many suppose, for information purposes, but to deflect discussion from the fact that the notes on necessary purchases and replacements, made last year, are packed away with the Christmas decorations, and are therefore inaccessible.  Students of security may note that this is a good illustration of the importance of all three pillars of security: the confidentiality and integrity of the information is maintained, but availability is not.)  Testing at this point in the cycle might be useful, but is, unfortunately, impossible.

At some point in November, the male members of the household will have run out of excuses for not retrieving the Christmas decorations from storage.  At this point there is usually a mass retrieval of the decorations, and assessment of any items requiring replacement or supplement, or any perishable items which must be purchased each year.  (This corresponds to the requirements phase.)  Testing of light nodes and subnets may be done at this point.

This retrieval/requirements phase is generally followed by a design/planning phase.  To many researchers, it would appear that the ultimate result varies little from year to year, and that the design and planning is not necessary.  However, mature researchers will note that, as one becomes, well, “more experienced” in these matters, one notes a failing of memory as to the exact process from previous years, and sometimes even more recent events are difficult to …

I’m sorry, where was I?

Oh, yes.

Testing and failure rectification can be undertaken during the design phase.  Some researchers feel that this assessment point can be skipped, but experienced researchers know that failed nodes will inevitably be discovered on the back of the tree in such cases.

During the implementation phase, testing tends to be somewhat informal.  Since the light nodes are being placed individually, failure of a node is generally obvious.  However, if testing and rectification is not planned into the process, researchers inevitably find themselves balanced precariously on a stool at the back of the tree, with no replacement nodes, when a dead node or subnet is discovered.

The maintenance phase of the cycle generally runs from the first Sunday of Advent until January 6th (Feast of the Epiphany, last of the twelve days of Christmas).  Testing at this period is by observation.  Unfortunately, very much like testing, observation can usually tell you which nodes are shining, but not which ones are not.  As per the earlier study, it should be noted that a single node failure does not generally result in subnet failure, but that cumulative failures do.  Therefore, failure to observe and rectify individual node failures frequently results in subnet failures at some point during this phase.  Rectification following subnet failure at this point is extremely difficult, and usually impossible.

The termination phase of the cycle involves “undecorationing,” and return of items to storage.  Testing is possible at this point of the cycle, but is made problematic by a) fatigue, and b) haste in returning items to storage in order to allow for “spring cleaning.”

RESULTS OF TESTING AT DIFFERENT CYCLE PHASES

Initially, this study looked at testing by observation during the maintenance phase.  It was felt that by observation and ongoing rectification, nodes and subnets could be maintained, and would therefore be in good order upon retrieval the following year.

Unfortunately, the following year some nodes and subnets were found to be dead.  Therefore, testing at the termination phase was added.  This had the advantage of allowing notes to be taken during rectification, so that replacements could be purchased in advance, the year after.  As previously noted, this information was maintained, but was not available at a time when it would be useful.

Therefore, testing was added during the requirements phase.  All subnets were tested upon retrieval, replacements were purchased (if one could fight through the crowds at Canadian Tire), and rectification was done prior to implementation.  During implementation phase on that study, it was found that nodes and even subnets were still showing as failed.  This led to the addition of an additional testing point during the design/planning phase.

During this past cycle, all nodes and subnets were tested and rectified during the termination phase.  Upon retrieval, subnets were tested and any failures rectified.  During planning, subnets were again tested and failures rectified.  During implementation, provision was made for rectification within the process.  So far, in the maintenance phase, failures have been rectified as soon as observed.  (One subnet failure was noted.  The attempt to rectify it was successful, but this is considered anomalous.)  Failure rates between testing points have been observed as high as 14% of total nodes.

CONCLUSION

The results of the data collected are inescapable.  Testing results in failure.

ACKNOWLEDGEMENT

This study would not have been undertaken without the encouragement and support of Gloria J. Slade.


“Feudal” and the young employee

In respect of Schneier’s article on “feudalism” in security (pledging “fealty” to a company/platform, and relying on the manufacturer/vendor to keep you safe), I’m sitting in a seminar for an ERP product from one of the “giants.”  The speaker has stressed that you need an “easy to use” system, since your young employees won’t attend or pay attention to training (on either systems or your business): they expect things to “just work.”

We’ve also just had a promo video from a company that uses the product.  Close to the ideal of a “virtual” company: head office is in one country, manufacturing in two more, and most of the user base shops online.  It is easy for the security professional to see that this is a situation fraught with peril: online access to vital business, manufacturing, and customer information, privacy issues with a diverse customer base, legal and privacy issues with multiple jurisdictions, and the list goes on.  This is not a situation where “plug and play” and turnkey systems are going to be able to address all the problems.

But, of course, the vendor position is just “Trust us.”


Why can’t my laptop figure out what time zone I’m in, like my cell phone does?

We got new cell phones (mobiles, for you non-North Americans) recently.  In the time since we last bought phones they have added lots of new features, like texting, cameras, email and Google Maps.

This, plus the fact that I am away on a trip right now, and Gloria has to calculate what time it is for me when we communicate (exacerbated by the fact that I never change the time zone on the laptops to local time), prompted her to ask the question above.  (She knows that I have an NTP client that updates the time on a regular basis.  She’s even got the associated clocks, on her desktop, in pink.)

Cell phones, of course, have to know where they are (or, at least, the cellular system has to know where they are) very precisely, so they can be told, by the nearest cell tower, what time it is (or, at least, what time it is for that tower).

Computers, however, have no way of knowing where they are, I explained.  And then realized that I had made an untrue statement.

Computers can find out (or somebody can find out) where a specific computer is when they are on the net.  (And you have to be on the net to get time updates.)  Some Websites use this (sometimes startlingly accurate) information in a variety of amusing (and sometimes annoying or frightening) ways.  So it is quite possible for a laptop to find out what time zone it is in, when it updates the time.

Well, if it is possible, then, in these days of open source, surely someone has done it.  Except that a quick couple of checks (with AltaVista and Google) didn’t find anything like that.  There does seem to be some interest:

http://stackoverflow.com/questions/8049912/how-can-i-get-the-network-time-from-the-automatic-setting-called-use-netw

and there seems to be an app for an Android phone:

https://play.google.com/store/apps/details?id=ru.org.amip.ClockSync&hl=en

(which seems silly since you can already get that from the phone side), but I couldn’t find an actual client or system for a computer or laptop.

So, any suggestions?

Or, anybody interested in a project?
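
A sketch of what such a client could do, added here as an example and not taken from any existing tool: map the laptop's public address to an IANA zone name and use that zone only to display the UTC time that NTP already supplies. The prefix table, the addresses (documentation ranges) and the function names are all constructed for illustration.

```python
import ipaddress
from datetime import datetime, timezone
from zoneinfo import ZoneInfo, ZoneInfoNotFoundError

# Constructed sample table: documentation-only prefixes (RFC 5737) mapped to
# IANA zone names. A real client would consult a geolocation database instead.
PREFIX_ZONES = {
    "192.0.2.0/24": "America/Vancouver",
    "198.51.100.0/24": "Europe/Oslo",
    "198.51.100.128/25": "Europe/London",  # more specific entry wins
}
NETWORKS = sorted(
    ((ipaddress.ip_network(p), z) for p, z in PREFIX_ZONES.items()),
    key=lambda item: item[0].prefixlen,
    reverse=True,
)

def guess_zone(public_ip, current_zone):
    """Return the zone for public_ip, or current_zone when there is no answer."""
    try:
        addr = ipaddress.ip_address(public_ip)
    except ValueError:
        return current_zone
    for net, zone in NETWORKS:  # longest prefix first
        if addr in net:
            return zone
    return current_zone  # unknown or private address: change nothing

def local_time(utc_now, zone):
    """Render a UTC instant in zone; the instant itself is never altered."""
    if utc_now.tzinfo is None:
        raise ValueError("expected a timezone-aware UTC datetime")
    try:
        return utc_now.astimezone(ZoneInfo(zone))
    except ZoneInfoNotFoundError:  # no tz database installed: stay on UTC
        return utc_now

if __name__ == "__main__":
    ntp_utc = datetime(2024, 1, 15, 20, 0, tzinfo=timezone.utc)  # constructed
    for ip in ("192.0.2.44", "198.51.100.200", "10.1.2.3"):
        zone = guess_zone(ip, "America/Vancouver")
        print(ip, zone, local_time(ntp_utc, zone).isoformat())
```

Because the looked-up zone only changes how the time is rendered, a wrong guess (a VPN exit, an inaccurate geolocation record) shifts the displayed hour but leaves the NTP-synchronised clock, and anything timestamped in UTC, untouched.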
